Vulnslist

Cisco Identity Services Engine on Cloud Platforms Static Credential Vulnerability

cisco-sa-ise-aws-static-cred-FPMjUcm7 · Critical

A vulnerability in Amazon Web Services (AWS), Microsoft Azure, and Oracle Cloud Infrastructure (OCI) cloud deployments of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to access sensitive data, execute limited administrative operations, modify system configurations, or disrupt services within the impacted systems.

This vulnerability exists because credentials are improperly generated when Cisco ISE is being deployed on cloud platforms, resulting in different Cisco ISE deployments sharing the same credentials. These credentials are shared across multiple Cisco ISE deployments as long as the software release and cloud platform are the same. An attacker could exploit this vulnerability by extracting the user credentials from Cisco ISE that is deployed in the cloud and then using them to access Cisco ISE that is deployed in other cloud environments through unsecured ports. A successful exploit could allow the attacker to access sensitive data, execute limited administrative operations, modify system configurations, or disrupt services within the impacted systems.

Note: If the Primary Administration node is deployed in the cloud, then Cisco ISE is affected by this vulnerability. If the Primary Administration node is on-premises, then it is not affected.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-aws-static-cred-FPMjUcm7

Workarounds

There are no workarounds that address this vulnerability. However, there are mitigations:

Allow source IPs using cloud security groups: Permitting only the source IP addresses of customer administrators, through the security groups of the cloud platform, restricts access to authorized administrators before traffic reaches the Cisco ISE instance, effectively blocking any potentially malicious connections.
Allow source IPs at Cisco ISE: In the Cisco ISE UI, allow only the source IP addresses of customer administrators.

For fresh installations, run the application reset-config ise command to reset user passwords to a new value. Running the application reset-config ise command is required only on the Primary Administration persona node in the cloud. There is no need to reset secondary nodes. If the Primary Administration persona is on-premises, running the command is not required.

Warnings:

Running the application reset-config ise command will reset Cisco ISE to the factory configuration. For details, see the Cisco ISE Configuration Guide: https://www.cisco.com/c/en/us/td/docs/security/ise/3-2/cli_guide/b_ise_CLI_Reference_Guide_32/b_ise_CLIReferenceGuide_32_chapter_01.html#wp1727183819
If the configuration backup that is being restored was taken before the vulnerability fix was applied, the old credentials will also be restored. Cisco recommends taking a new configuration backup after installing the fix to prevent the old credentials from being restored. If an old backup has been restored, the hot fix must be removed and re-installed.

While these mitigations have been deployed and were proven successful in a test environment, customers should determine the applicability and effectiveness in their own environment and under their own use conditions. Customers should be aware that any workaround or mitigation that is implemented may negatively impact the functionality or performance of their network based on intrinsic customer deployment scenarios and limitations. Customers should not deploy any workarounds or mitigations before first evaluating the applicability to their own environment and any impact to such environment.

CVEs: CVE-2025-20286
Cisco Bug IDs: CSCwn63400
CVSS Score: Base 9.9
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:H/E:X/RL:X/RC:X
Product Names From Source: Cisco Identity Services Engine Software

CSAF Product Statuses

Product                                  Status          Source      CVE             Rows
Cisco Identity Services Engine Software  known_affected  cisco_csaf  CVE-2025-20286  1

Related Products

Product                                  CVE             Evidence
Cisco Identity Services Engine Software  CVE-2025-20286  Cisco OpenVuln